refreshToken seem to be one time use now #279
Comments
|
Same issue reported here by other users: https://www.reddit.com/r/HOOBS/comments/ftdbdm/anybody_else_having_trouble_with_homebridgering/ I had the same problem myself today but it seems to work fine now after logging in on the Ring website and confirming with the 2fa code then getting a new token with the ring-auth-cli. |
|
I can't even login to the ring website with my credentials from my home internet anymore, seems like when pm2 was doing an infinite loop retry with my account it locked it up :( I have to login with my phone's LTE connection right now. |
|
I have similar issues. I received several login attempt emails yesterday and 2fa texts. I tried getting a new RefreshToken via ring-auth-cli and restarting hb service but ring timed out. Also, I had to login to my Ring account off WiFi - through LTE only. |
|
Is it possible Ring just has something temporarily broken on their end? I haven’t dug in yet to see what errors I’m getting, but my stuff stopped sometime between yesterday afternoon and today. I can’t login at all to the website regardless of LTE or WiFi. It lets me put in my info, I get the 2 FA email, but then I get a 404 error that the accounts page doesn’t exist. I also use a separate guest user account for my Homebridge connection, so I wouldn’t have expected my primary account to be effected. |
|
Yes, I had to obtain a new token today using ring-auth-cli and typing in the new 2fa number texted to my phone. I had just obtained a new token a few days ago...so yeah, maybe the lifetime is now just a day. Kind of a pain, but it still works. |
|
Hey everyone, it looks like I finally got hit with this issue as well as my homebridge-ring setup just stopped working today. Unfortunately I've been really slammed with work and family over the last few weeks, so I haven't had a chance to take a look. I do think Ring has been having some weird issues over the past few days, so it's possible this issue will go away on its own. If not, I'll try to take a look as soon as I am able. Thanks for your patience! |
|
It seems to have resolved for me today, it might have to do with a Ring outage in the past few days. If you guys see https://status.ring.com/ there was a Ring outage on 4/2 that's resolved now which might match this timeline. |
|
Got a fresh token yesterday and today it doesn't seem to work anymore, do I have to set it up daily now? |
I think that’s what we’re still trying to figure out. Ring was having some issues, so it’s unclear if those were part of the problem. I wasn’t sure why mine stopped working so I got a fresh token yesterday and that got me up and running. Time will tell whether it continues, but it’s still up as of now. |
|
I've setup a notification for when my token no longer works and back when this started it was happening several times an hour but now seems to be consistently once per day, so not sure what is going on. The ring app on my phone has still maintained a token throughout all this so I'm sure it must be possible to fix this... |
|
My token is valid for single use, not once a day. Every time I run my script, I need a new token. It may be per connection or session? This is such a pain, I hope someone can come up with a work around. And yes, the iPhone app works as usual, so maybe the server is sending a code directly to the app, which in turn replies - or something. Maybe this git can do the same? |
One thing I have noticed while looking at this is that the refresh token changes every time it's used to create a new access token (creating an access token returns both the token and a new refresh token) - slightly unusual as a refresh token is supposed to be long-lived but I don't think there's anything in the oAuth spec that prevents this happening... If this is a recent change by Ring and you're using a static refresh token in your configuration then that could be why they seem to now be "single use". This API has an event named onRefreshTokenUpdated that you can subscribe to in order to update the refresh token in your configuration when this happens. I believe the homebridge client already does this, but if you've developed your own integration you'll need to handle that. |
|
Can I use email and pass for now instead of refreshToken? |
|
I am having the same problem of randomly requring me to do 2FA again. My ring account didn't even have 2FA set up. So I deleted all the authorized devices and enabled 2FA. Same problem. |
|
Update: Storing and replacing the new refresh token after every authentication has resolved the issue for me. Initially I thought this was only working for 24 hours but I realised that my ring-mqtt service was being restarted daily, so was re-authenticating but not storing the new refresh token. I fixed that and it seems to be working fine now. |
|
Sounds like there were a couple of factors at play here. First, Ring either had an issue or made a change that cause refresh tokens to be single use instead of long-lived. I just tested and was able to use a refresh token multiple times, so it's possible that they reverted/fixed that change. Second, I think most of the comments on here are from users that are coming from projects other than I appreciate all of the input and investigation on this issue, and I hope that it is resolved at this point. I'm going to close this issue for now, but I am open to additional comments if users are still having issues that are reproducible. Hopefully it's a simple as Ring made a bad change and reverted it over the past week. |
Thanks for looking into it. As an actual user of your plugin, I can report that I updated to the latest version and got a new token on Friday afternoon. We’re now approaching 48hrs later and I haven’t had any further issues. I believe you’re absolutely right and this was more than likely an issue on Ring’s end. |
|
After more testing, it looks like the refresh tokens do expire shortly after their first use (< a couple minutes). So it's critical that libraries subscribe to |
|
I was locked out of my account due to too many 'invalid codes'. The first ring chat rep fixed the problem, but it happened again. The second rep told me that I had to wait the 24 hours before I could login again. This affects web access and my script that downloads my videos to my laptop. They refunded me for my annual service, and gave me a free trial for a year, until April 2021. BTW, they gave me a number to call for support, probably nothing useful, but it is 800-656-1918. FYI - I was trying to change my script due to the ring changes related to token use. I ran into problems integrating the code in ring-auth-cli.js to obtain the token (token code which is SMS to my phone). This caused all the 'invalid codes' because I kept running the script, trying to debug it. I want to obtain user input from the console (which is the token sent to my cell) then have the script continue. Being new to TypeScript, I am still trying to figure out how to block for user input without the script continuing its execution. I was running ring-auth-cli.js, then cut/paste the token into my script, which works fine. But I wanted to avoid the manual/cut paste and have my script work like ring-auth-cli.js - just thought I would mention it. |
|
BTW, the ring iPhone app didn't seem to be affected by the lock out. It would be nice to be able to avoid any lockout using the browser on my mac or my script which uses this API. |
|
Updated to my homebridge-ring plug-in add now my hoobs server just stops running |
|
I think that's a hoobs issue. @askovi? |
|
🤔 |
|
It was working yesterday tho , right up until I updated this morning |
|
Did anyone else lose their notifications when this started? While I was poking around and getting a new token I figured it was a good time to update the plugin, so I can’t say it doesn’t have to do with that. It seems to be working find otherwise once I got the new token on Friday, but the Notifications are gone. |
|
FYI - I was supposedly locked out of my account due to a 2SV issue for 24 hours, which they claim is different than a 2fa issue, but I was back in at about 12 hours later, not 24 hours. I had restarted my VPN, not sure if that mattered - presumably got a new IP. The first token I get only lasts one time, then the tokens after that seem to last longer. Sometimes I see the refresh callback getting called 100 times in a row. |
|
I'm still locked out of my ring in all way except my iOS app. Every day at 7am and 11:30am I get several failed attempt/verification codes. When I attempt to get a refresh token via ring-auth-cli I receive: Error: Failed to fetch oauth token from Ring. You have requested too many 2fa codes. Ring limits 2fa to 10 codes within 10 minutes. Please try again in 10 minutes. (error: error requesting 2fa service to send code) I try again any time beyond 10 minutes and I get the same message. When I go to login in to my account via the website, it gives me a message that my account it locked for 24 hours. I'm thinking I have to uninstall the plugin and wait for 24 hours? I contacted Ring and they have not been able to help so far. |
|
Mine works just fine it’s been over a day now |
|
@ekovacs34 I would definitely recommend you turn the plugin off for a few days and see if that prevent the account locking. It's also possible that someone is trying to brute-force their way into your account, so it would probably be a good idea to change your password |
|
This is what I had too, but I don't use the plugin, I use my own script. It would be nice to understand why the iOS app stills works, but nothing else does. The script, which I run continuously - polls the server every 60 sec and downloads any fresh videos. It uses any new token that is provided by the server (as per suggestion above). It has been running for a few days straight now without any issues. When the lockout happened, I called and they provided me with a refund -which I asked for. After roughly 12 hours the lockout was cleared, during those 12 hrs I did not attempt to access the server except thru the IOS app. |
|
Thanks. I had reset my password on the first day of this issue because I'd assumed something was going on with my account. I uninstalled the plugin for now and will see, once my account unlocks, if I can fire things back up by reinstalling and getting a new refresh token. I appreciate all the information everyone is sharing. |
|
In my script that continuously polls the server to pull down video files, the initial 'boot strap' token seems to refresh immediately, then each token after that refreshes every 1 hour. |
|
All, thanks for the help and guidance. My account unlocked after 24 hours, I reinstalled the plugin, and everything worked like a charm - so far. Thanks again, especially to @dgreif |
Since yesterday I noticed refreshTokens seem to be one time use now, which means for any services that use ring-client-api and homebridge-ring autostarting them does not work anymore, since it requires a config change each time. Is anyone else seeing the same issue?
The text was updated successfully, but these errors were encountered: